Redefining Cybersecurity Policy

University of Pittsburgh - School of Law; University of Pittsburgh - School of Information Sciences; Yale University - Information Society Project; University of Pittsburgh - Graduate School of Public & International Affairs

Date Written: September 5, 2016

Abstract

Cybersecurity policy currently views security as an exercise in risk prevention. Questions such as "how do we stop attackers?" pervade the discourse, both in technical cybersecurity planning and in legal and organizational policymaking. This view of security, which departs from centuries of accepted practice in other areas of security, benefits exactly one group: attackers.

This is an extremely rough draft of what will become a book proposal I tentatively am calling "Redefining Cybersecurity." The central thesis concerns cybersecurity policymaking and the technical practices those policies drive "on the ground." It argues that these policies push practice toward "prevention" styles of risk management, whereas cybersecurity practice is more effective when treated as a risk management exercise (for reasons of efficiency, efficacy, and possibly normative reasons as well).

What follows is a draft table of contents for the book project and an early working draft of a chapter that focuses on the thesis above. This draft chapter, Redefining Cybersecurity Policy, attempts to articulate much of the argument of the larger book. This work follows on from my 2015 PLSC paper, Cybersecurity Stovepiping, which provides an example case study of the failure of rigid, prevention-based risk policymaking.